Overview

- What forms of isolation does it provide
- Which use-cases are supported
  - Isolation of network services (inetd style)
  - Isolation with access to a private, cloned interface (requires root/setuid)
  - Isolation of local processes
  - Isolation of local processes (and re-running them, if necessary)
- Examples of use
  - Bash in a minimal file-system with uid==0 and access to /dev/urandom only
  - /usr/bin/find in